Cyber-attacks can have a devastating impact on a company; it can be even more devastating when the attack is made by an employee or other insider.
The trusted insider has distinct advantages over the external attacker: access to and knowledge of people, structures and systems that can cause critical damage to an organisation from inside its own firewalls. And often the assumption is that the perpetrator must be external to the organisation. Yet deliberate insider attacks are far more common than you may think.
Data breaches can be accidental, but they can also be deliberate, and knowing the risks your business faces from insiders is vital if one is to be prepared.
The 2002 movie Catch Me If You Can, starring Leonardo Di Caprio, was loosely based on the life story of Frank Abagnale. Frank was a master fraudster who, after his arrest, used his criminal skills to help the FBI investigate fraud. He went on to set up his own detective agency in 1976 and quickly appreciated the role that computers played in those early days of cybercrime. Frank became one of the first cybercrime detectives and his experience is worth noting. He famously said:
“Every case involving cybercrime that I’ve been involved in, I’ve never found a master criminal sitting somewhere in Russia or Hong Kong or Beijing. It always ends up that somebody at the company did something they weren’t supposed to do. They read an email; went to a website they weren’t supposed to.”
In Frank’s view cybercriminals were usually insiders. Employees who accidentally opened the wrong email or who deliberately took malicious action against their company because they were disgruntled. Cybercriminals didn’t need the polished talents of the 1960s con artist, they could just sit and wait, remotely, for a door to open and then, when it did, they were in.
What is so revealing about this is for just how long cybercrime has been facilitated by an insider. There has been a threat within since the earliest computers served the very few who could afford them. And statistics back this up as a current threat. In a 2018 Veriato White Paper, 53% of organisations surveyed confirmed they had been the victim of an insider attack in the previous 12 months, whilst in a 2020 global survey 68% confirmed their belief that insider attacks were becoming more frequent. These surveys are important as, if law enforcement and regulators are correct, a high percentage of cybercrime goes unreported.
So now, in 2021, what sort of insiders commit or facilitate cybercrime against their own organisation and how can we spot them? I use the term insider because it’s broader than employee. An insider could be an employee or staff member, but they could equally be a director, partner or service provider. Anyone, in fact, that has inside access to your premises, IT systems and people. They fall, for descriptive purposes, into one of three categories:
The first is the rogue. The rogue has legitimate access that they deliberately misuse to steal or compromise data. The rogue is a malicious actor, often motivated by financial greed or competing commercial interests or a grudge against the organisation or people within it. The rogue, whatever their motivation, means to cause harm.
The rogue differs from our second category, the pawn. The pawn, as the chess reference suggests, is being moved around by others. They may be a victim of social engineering or the unknowing victim of a targeted phishing attack. The pawn has no malicious intent but has been tricked or manipulated into opening the door to let malicious actors in.
Finally, there is the klutz. The klutz is neither malicious nor manipulated but the victim of an accident. The klutz makes the error that causes or facilitates the data breach. In the majority of breach incidents reported to the Information Commissioner’s Office the blame is put on a klutz by the reporting organisation. But a klutz may in fact be a rogue if they deliberately and maliciously opened a link. Or a pawn if they were manipulated without their knowledge. Trying to decide the category of insider can be challenging and, in the absence of evidence as to motive, the klutz will be the default determination.
The message here is that organisations need to be on guard for the rogue and for evidence of malice. There are identifiable traits and behaviours that may point to a rogue in your organisation. It is important to appreciate that these traits are not conclusive proof but might be viewed as cautionary smoke signals:
- Displays low morale
- Demonstrates opposition to company activities and/or violates company policies and practices
- Expresses dissatisfaction to others and appears disgruntled
- Discusses the possibility of leaving or taking up new opportunities
- Attempts to bypass security
- Is frequently present in the office or frequently logged on during out-of-office hours
These traits and behaviours will likely manifest themselves as digital clues so an organisation should conduct effective but legitimate, proportionate and lawful levels of monitoring to pick these up. Those digital clues might include:
- Accessing or searching for data not associated with their job function
- Accessing data that is outside of their usual routine
- Unexplained downloading or accessing of large amounts of data
- Multiple requests for access to resources not associated with their job function
- Data hoarding, saving to local machine or storage devices
- Using unauthorised storage devices such as USB drives
- Emailing and moving data from their company email account to their personal email account
- Using personal cloud storage
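As an added illustration of how the digital clues listed above translate into monitoring logic, the following Python script (written for this article, not a tool the author or any vendor supplies) scores a handful of constructed audit-log lines against those indicators: out-of-hours logons, access and downloads outside the user's job function, unusually large downloads, mail to personal addresses, USB devices, personal cloud uploads and repeated access requests for unrelated resources. The log format, the job-function baselines, the office-hours window and the size and request thresholds are all assumptions chosen for the example.

```python
"""Score constructed audit-log lines against the insider 'digital clues' indicators.

Everything below is constructed sample data and assumed thresholds for illustration;
a real deployment would read the log export and baselines from the monitoring platform.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). Format: timestamp | user | event | key=value ...
SAMPLE_LOG = """\
2021-06-01T09:12:00 | alice | login | src=office-lan
2021-06-01T09:40:00 | alice | access | resource=hr/payroll
2021-06-01T10:05:00 | bob | access | resource=hr/payroll
2021-06-01T23:30:00 | bob | login | src=vpn
2021-06-01T23:41:00 | bob | download | resource=finance/forecasts bytes=734003200
2021-06-02T08:15:00 | bob | email | to=bob.personal@gmail.com attachment=forecast.xlsx
2021-06-02T08:20:00 | bob | usb_mount | device=SanDisk-Cruzer
2021-06-02T08:25:00 | bob | upload | dest=dropbox.com
2021-06-02T11:00:00 | carol | access_request | resource=finance/forecasts
2021-06-02T11:05:00 | carol | access_request | resource=hr/payroll
2021-06-02T11:10:00 | carol | access_request | resource=legal/contracts
"""

# Assumed job-function baselines: the data areas each user's role normally touches
ROLE_RESOURCES = {
    "alice": {"hr/"},           # HR officer
    "bob": {"engineering/"},    # software engineer
    "carol": {"sales/"},        # sales executive
}

OFFICE_HOURS = (8, 19)                      # assumption: 08:00-19:00 counts as office hours
LARGE_DOWNLOAD_BYTES = 500 * 1024 * 1024    # assumption: 500 MiB in one download is "large"
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
PERSONAL_CLOUD_HOSTS = {"dropbox.com", "drive.google.com", "onedrive.live.com"}
ACCESS_REQUEST_LIMIT = 2                    # assumption: more than two unrelated requests is notable


def parse_line(line):
    """Split one log line into (timestamp, user, event, {key: value})."""
    ts, user, event, detail = [part.strip() for part in line.split("|")]
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return datetime.fromisoformat(ts), user, event, fields


def in_job_function(user, resource):
    """True if the resource falls inside the user's baseline data areas."""
    return any(resource.startswith(prefix) for prefix in ROLE_RESOURCES.get(user, ()))


def score_log(text):
    """Return {user: [indicator, ...]} for every user that trips at least one indicator."""
    flags = defaultdict(list)
    unrelated_requests = defaultdict(int)
    for line in text.strip().splitlines():
        ts, user, event, f = parse_line(line)
        if event == "login" and not (OFFICE_HOURS[0] <= ts.hour < OFFICE_HOURS[1]):
            flags[user].append("out-of-hours logon")
        if event in ("access", "download") and not in_job_function(user, f["resource"]):
            flags[user].append(f"access outside job function: {f['resource']}")
        if event == "download" and int(f.get("bytes", 0)) >= LARGE_DOWNLOAD_BYTES:
            flags[user].append("large download")
        if event == "email" and f["to"].rsplit("@", 1)[-1] in PERSONAL_MAIL_DOMAINS:
            flags[user].append("data sent to personal email")
        if event == "usb_mount":
            flags[user].append("unauthorised storage device")
        if event == "upload" and f["dest"] in PERSONAL_CLOUD_HOSTS:
            flags[user].append("personal cloud storage")
        if event == "access_request" and not in_job_function(user, f["resource"]):
            unrelated_requests[user] += 1
            if unrelated_requests[user] == ACCESS_REQUEST_LIMIT + 1:
                flags[user].append("repeated access requests outside job function")
    return dict(flags)


if __name__ == "__main__":
    for user, indicators in score_log(SAMPLE_LOG).items():
        print(f"{user}: {len(indicators)} indicator(s)")
        for indicator in indicators:
            print(f"  - {indicator}")
```

Running it flags nothing for alice, a cluster of seven indicators for bob and a single one for carol. The point is the clustering: each indicator on its own is the "smoke signal" the article describes, not proof, and the output is something for a human to review under the monitoring policy discussed later, not an automatic verdict.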
When looking for digital clues the golden rule is to look at everyone. Do not assume that your senior management or IT guardians, the very people trusted to look after your IT systems, are beyond suspicion. I have been involved in more than one case where the senior IT officer has launched a crippling insider attack on his own organisation. As the Roman philosopher Juvenal queried: Quis custodiet ipsos custodes? Who will guard the guards? Take note, even the IT team will need monitoring.
It is paramount, however, that monitoring strikes the right balance and stays the right side of the insider’s Article 8 right to privacy and family life. To achieve that, your organisation’s approach to monitoring should be widely circulated so that there is an expectation that emails, other communications, internet searches and IT system use will be subject to surveillance.
Case law tends to focus on whether the employee had a reasonable expectation of privacy in relation to the actions in question. Ensure, so far as possible, that the answer to this is that there was no reasonable expectation of privacy for those actions so that Article 8 may not be engaged. Otherwise the question for a court will be whether the interference with that privacy was lawful and proportionate.
Proportionality will be key. An organisation cannot grant itself absolute power by putting in place draconian policies; they need to be tempered and proportionate to the identified risk. Monitoring will also fall foul of Article 8 when the insider has not been sufficiently informed in advance of the nature and extent of the monitoring. This is crucial. The insider should have been forewarned as to which actions would be subject to surveillance, whether the content of certain communications would be examined, and what could be done with that monitored material and by whom.
But beware, merely taking steps to remove the expectation of privacy does not of itself guarantee that Article 8 will not be engaged when the particular circumstances are scrutinised. Targeting individuals, as opposed to company-wide monitoring, can also lead to allegations of unlawful discrimination where the insider believes they have been unfairly targeted.
The personal data that is processed by your monitoring will be caught by the GDPR and Data Protection Act 2018. That will mean identifying a genuine business need to legitimise the monitoring and reaching a conscious decision that the monitoring remains justified, having gone through a careful assessment of organisational benefit versus adverse impact on the insider. It will also mean that the GDPR data principles will apply to the personal data so that it must be processed in a lawful, transparent manner, collected only for explicit, legitimate purposes, be proportionate and kept securely.
Significantly the insider, as a data subject, has the right to request access to the results and records of the monitoring they were subject to. It doesn’t take a genius to work out that there is risk in monitoring – it’s important to get it right. If you confront a rogue with evidence from monitoring, there’s a good chance of a fightback with the possibility of discrimination, harassment, defamation, constructive dismissal and data protection claims. Monitoring is essential but it is something of a liability tightrope with a careful balance to be struck.
The pandemic has also facilitated the insider threat through the increase in remote and hybrid working practices. The entwinement of cybersecurity and coronavirus, particularly the impact of coronavirus on the workplace, is a game changing event that cannot be ignored in any future cybersecurity strategy. Statistical evidence indicates an eightfold increase in those working predominantly from home during the pandemic. That sharp rise in home working was met with a 76% uptick in the frequency of cyber-attacks. Cybercriminals were quick to realise the vulnerabilities and opportunities presented by the pandemic.
Remote working amplifies the insider risks because it becomes more difficult to convey, embed and enforce safe working practices or monitor staff. Outside the office the chance of being a klutz rises. Equally, outside the office the rogue can more easily disappear because he has already left the building!
When people leave the office building, there is a mental switch that takes place. There is less cohesion to company security values such as only using company issue devices, only using secure company wi-fi, only discussing work issues with colleagues or only in the hearing of colleagues. This last point is important. Outside the office there is huge potential for an employee to become a pawn; working from a café or other social venue with open, non-secure wi-fi presents strangers with sinister opportunities to use anything seen or overheard to facilitate a hack or social engineering.
I think as lawyers we sometimes look for written word legal solutions such as policies and contracts. There is certainly a place for those in addressing the insider threat, but we also need to look closely at our organisation’s culture.
Culture is more than just the people within an organisation. It is also more than an aspirational statement of company values. Culture should reflect everyone’s practices and expectations. It includes, importantly, how we perform, behave and problem solve together. If your organisation can instil and embed the right cyber-secure culture and self-policing behaviours in its insiders, then it will go a long way to reducing the threat.
A realistic strategy also assumes that the threat from the enemy within will never completely go away. Organisations should ensure their board has quantified the threat risk profile; the risk should be discussed at board level and a decision made as to who owns that risk. Any risk assessment should include the organisation identifying its crown jewels, so that its most important assets are best protected in the event of an attack.
In 1838 Abraham Lincoln posed and then answered the following question:
“‘At what point, then, is the approach of danger to be expected?’ I answer, if it ever reach us, it must spring up amongst us. It cannot come from abroad. If destruction be our lot, we must ourselves be its author and finisher.”
The analogy here is clear. Danger comes not only from without but also from within. Indeed, the very access and trust which insiders require to fulfil their roles enables them to launch a malicious attack or to assist others whether deliberately or unwittingly. It follows that access should be carefully controlled by management. An insider should only have the access and permissions that are essential to their role at any material time.
So, how can an organisation work to defeat the internal enemy before destruction be its lot? There is no prescriptive battle plan but, at a minimum, I would recommend:
- Privacy policies that are clear, transparent and understood by all
- An acceptable cyber use policy
- Limiting privileges and permissions so that data and systems can be used only to perform an authorised business function
- Knowing where your data resides and producing an inventory
- Fostering and embedding an appropriate cyber-secure, self-policing culture
- Implementing training and awareness programmes, with ongoing training on data protection and on how to spot and report concerns
- Reporting lines that are straightforward and responsive to concerns
- Monitoring insiders with legitimate, proportionate and lawful surveillance
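The access-control principle stated earlier (an insider should hold only the permissions essential to their role at any material time) and the recommendations to limit privileges and to keep a data inventory can be checked mechanically. The following Python script is an added example, written for this article rather than taken from any product: it compares each user's current grants with a role baseline, reports excess entitlements (highlighting those on restricted data), reports grants on resources missing from the inventory, and produces a revocation list. The roles, baselines, inventory and grants are all constructed sample data.

```python
"""Least-privilege entitlement review against a role baseline and a data inventory.

All names, roles, grants and classifications below are constructed for illustration;
a real review would load them from the identity provider and the asset register.
"""

# Assumed role baselines: the (resource, action) pairs essential to each role
ROLE_BASELINE = {
    "engineer": {("source/repo", "read"), ("source/repo", "write"), ("ci/logs", "read")},
    "hr": {("hr/payroll", "read"), ("hr/payroll", "write"), ("hr/records", "read")},
    "sales": {("crm/accounts", "read"), ("crm/accounts", "write")},
}

# Constructed data inventory: where each asset resides and how sensitive it is
DATA_INVENTORY = {
    "source/repo": {"location": "git-server", "classification": "confidential"},
    "ci/logs": {"location": "ci-host", "classification": "internal"},
    "hr/payroll": {"location": "hr-db", "classification": "restricted"},
    "hr/records": {"location": "hr-db", "classification": "restricted"},
    "crm/accounts": {"location": "crm-saas", "classification": "confidential"},
}

# Constructed current state: each user's role and the grants exported from access control
USER_ROLES = {"alice": "hr", "bob": "engineer", "carol": "sales"}
GRANTS = {
    "alice": {("hr/payroll", "read"), ("hr/payroll", "write"), ("hr/records", "read")},
    "bob": {("source/repo", "read"), ("source/repo", "write"), ("ci/logs", "read"),
            ("hr/payroll", "read"), ("finance/forecasts", "read")},
    "carol": {("crm/accounts", "read")},   # fewer grants than the baseline is fine
}


def review_entitlements(user_roles, grants, baseline, inventory):
    """Return {user: {excess, restricted_excess, uninventoried}} for users with findings.

    excess            grants the user's role baseline does not justify
    restricted_excess the subset of excess that touches data classified 'restricted'
    uninventoried     resources the user can reach that the data inventory does not know
    """
    findings = {}
    for user, held in grants.items():
        expected = baseline.get(user_roles.get(user), set())
        excess = held - expected
        restricted_excess = {
            (res, action) for res, action in excess
            if inventory.get(res, {}).get("classification") == "restricted"
        }
        uninventoried = {res for res, _ in held if res not in inventory}
        if excess or uninventoried:
            findings[user] = {
                "excess": excess,
                "restricted_excess": restricted_excess,
                "uninventoried": uninventoried,
            }
    return findings


def revocation_plan(findings):
    """Flatten findings into a sorted list of (user, resource, action) grants to revoke."""
    plan = [(user, res, action)
            for user, detail in findings.items()
            for res, action in detail["excess"]]
    return sorted(plan)


if __name__ == "__main__":
    results = review_entitlements(USER_ROLES, GRANTS, ROLE_BASELINE, DATA_INVENTORY)
    for user, detail in results.items():
        print(f"{user}: excess={sorted(detail['excess'])}")
        print(f"  restricted excess: {sorted(detail['restricted_excess'])}")
        print(f"  not in inventory:  {sorted(detail['uninventoried'])}")
    print("revoke:", revocation_plan(results))
```

On the sample data only bob is reported: a read grant on restricted payroll data his engineering role does not need, and a grant on a finance resource the inventory has never recorded, which is exactly the kind of gap the "know where your data resides" recommendation is meant to close. Carol holding fewer grants than her baseline is not a finding, since least privilege is about ceilings, not floors.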
In conclusion, there is, in my view, no simple solution because cybersecurity is more than complicated, it is complex. It was once explained to me by an academic that, in system theory, the difference between complicated and complex is that a complicated system can be solved with enough brain or computing power, whereas complex systems cannot be solved. Here, then, we may find there is no perfect solution but there may well be ways to mitigate and constrain the enemy within.